with the holograms themselves hiding the redeem part to allow for changing between mutliple hands. im now STARTING to consider this as a more secure way of transferring bitcoin without electronic devices needed between each party for daily exchange. as oppose to a one use item like a gift voucher or cheque.

i still see gaps in security where people can say "but im still typing my passphrase into some one elses website"

the only thing i can think to quash those thoughts is that people have their own offline program much like vanitygen or brain wallet which produces the addresses but adding to that it also encrypts the private key locally based on the passphrase they chose.basically asking users to type in passphrase and how many addresses to produce and it produces a list of clear public addresses and bip38 codes. (no private key in sight) they copy and paste the list to you where you never know the passphrase to encrypt it and are not involved with the encryption process. all you do is just print the public address and bip38 QR Codes to the relevant load/redeem section.

and at redemption. the user then scans the redeem code into the local program(same program as last paragraph) it requests the passphrase and converts it into a usable private key to paste into blockchain.info/mtgox.

by making it slightly harder for people to redeem them in under 3 seconds will actually make people prefer to keep them in circulation for longer.. in theory anyway.. which adds more benefit to the whole reason of paper money, as oppose to cheques/gift voucher methods. meaning that people are not easily tempted to rip off the hologram as soon as they get their hands on a note.

Do not take any information given on this forum on face value. Please do your own due diligence and respect what is written here as both opinion and information gleaned from experience. If you wish to seek legal FACTUAL advice, then seek the guidance of a LEGAL specialist

with the holograms themselves hiding the redeem part to allow for changing between mutliple hands. im now STARTING to consider this as a more secure way of transferring bitcoin without electronic devices needed between each party for daily exchange. as oppose to a one use item like a gift voucher or cheque.

i still see gaps in security where people can say "but im still typing my passphrase into some one elses website"

the only thing i can think to quash those thoughts is that people have their own offline program much like vanitygen or brain wallet which produces the addresses but adding to that it also encrypts the private key locally based on the passphrase they chose.basically asking users to type in passphrase and how many addresses to produce and it produces a list of clear public addresses and bip38 codes. (no private key in sight) they copy and paste the list to you where you never know the passphrase to encrypt it and are not involved with the encryption process. all you do is just print the public address and bip38 QR Codes to the relevant load/redeem section.

and at redemption. the user then scans the redeem code into the local program(same program as last paragraph) it requests the passphrase and converts it into a usable private key to paste into blockchain.info/mtgox.

by making it slightly harder for people to redeem them in under 3 seconds will actually make people prefer to keep them in circulation for longer.. in theory anyway.. which adds more benefit to the whole reason of paper money, as oppose to cheques/gift voucher methods. meaning that people are not easily tempted to rip off the hologram as soon as they get their hands on a note.

I only see a benefit for encrypted paper bills if I am the only one who knows the pass phrase. If someone writes their phrase on the bill and then pays me with it, I don't see any benefit over having an unencrypted private key. In fact, making it harder to spend doesn't even sound like a good thing to me.

I only see a benefit for encrypted paper bills if I am the only one who knows the pass phrase. If someone writes their phrase on the bill and then pays me with it, I don't see any benefit over having an unencrypted private key. In fact, making it harder to spend doesn't even sound like a good thing to me.

If the person who manufactured the bill is someone you trust and is different from the person who wrote the passphrase, then you know the passphrase writer doesn't know the private key. It's the same scenario if a reseller were to buy my two-factor bar and I provide the key under the hologram and he provides the passphrase, giving me only the intermediate code. The trust footprint is reduced to just the possibility that we're colluding (or the possibility he knows of a way to read under my hologram undetected).

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable. I never believe them. If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins. I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion. Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice. Don't keep coins online. Use paper wallets instead.

I only see a benefit for encrypted paper bills if I am the only one who knows the pass phrase. If someone writes their phrase on the bill and then pays me with it, I don't see any benefit over having an unencrypted private key. In fact, making it harder to spend doesn't even sound like a good thing to me.

If the person who manufactured the bill is someone you trust and is different from the person who wrote the passphrase, then you know the passphrase writer doesn't know the private key. It's the same scenario if a reseller were to buy my two-factor bar and I provide the key under the hologram and he provides the passphrase, giving me only the intermediate code. The trust footprint is reduced to just the possibility that we're colluding (or the possibility he knows of a way to read under my hologram undetected).

I understand that it helps a bit with trust in some situations. I was responding to franky saying that this would keep the bills in circulation longer. I don't agree since in that case you probably do not know who printed the bill.

The seals arrived in the mail today, so I've now finished my first batch of BTC1 notes:

[Edit by Michael_S: I removed one image for brevity reasons]

I printed them on 100% cotton paper, so they should be nice and durable. Time to try putting some of them into circulation...

Nice indeed! But one question about these holograms (from ebay/sdm-security, I suppose, 1.125", right?):

I understand they are tamper-evident in the sense that it is not possible to remove them without leaving a trace, i.e. I cannot remove them and stick them back to the note as if nothing happened.

BUT: Note that these are publicly available holograms, not special ones like the ones from casascius. So what if I remove them and stick a new one (I also have an ebay account! ) of the same type over it. Will this be noticeable?If not, maybe it is saver (depending on one's degree of security needs) to add in addition some transparent adhesive tape (scotch tape or so) stripes over the four hologram's edges and have them range over the complete width and height of the note and wrapping around the note's edges:

Now I can only tamper with the security hologram if I remove the tape stripes first. And this is probably not possible without violating the note's surface (depending on the note's material...any ideas?), so the tape stripes are also tamper-evident to some extend. Since they are transparent (unlike the hologram!), just sticking new stripes over it cannot conceal that the surface with the ink/toner was violated from tearing off the original stripes.

And then, thinking one step further, one may also consider relying solely on the tape-based seal without any hologram at all (this is what I have considered in my modification of the bitaddress.org tool - it can optionally print out two black rectangles that take the place of the hologram... ["optional" because if not needed no unnecessary waste of toner]).

I understand that it helps a bit with trust in some situations. I was responding to franky saying that this would keep the bills in circulation longer. I don't agree since in that case you probably do not know who printed the bill.

my theory was if casascius was the only bill printer using his trademarked holograms which authenticates they are his bills. for instance. then also knowing that casascius doesn't know the passphrase. and i dont know the private key because all i seen and copy and pasted to him was the bip38 version.

.. break for 50 seconds of thinking...

apart from the fact that i could possibly have kept the bip38 lists and used my passphrase to decrypt it.. now i come to think about it.. its still not a 100% trust system.

.. break for 50 seconds of thinking...

maybe the vanity program i proposed casascius making with the added bip38 security does not reveal to me the bip38 but sends it via API to casascius. so when ordering bitnotes from casascius. i just type in a passphrase into the vanity/brainwallet program and an amount of bills. and the only response i see is "transaction sent - please allow 10 days for delivery"

thus i only know the passphrase. casascius's servers only sees the bip38, the people whos hands it changes between only see the load address and the passphrase (not private/bip38) and the end user who finally gives up circulating the notes and cashes out.. will get to see them both after ripping off the hologram to get to the bip38 and reading the hand written passphrase on the reverse side.

to casascius:i love your designs. i also see how your avoiding double sided printing. but maybe the passphrase could be hand written on the back along with the redeem instructions, much like signing the backstrip of a credit card. if you catch my drift

Do not take any information given on this forum on face value. Please do your own due diligence and respect what is written here as both opinion and information gleaned from experience. If you wish to seek legal FACTUAL advice, then seek the guidance of a LEGAL specialist

I understand that it helps a bit with trust in some situations. I was responding to franky saying that this would keep the bills in circulation longer. I don't agree since in that case you probably do not know who printed the bill.

my theory was if casascius was the only bill printer using his trademarked holograms which authenticates they are his bills. for instance. then also knowing that casascius doesn't know the passphrase. and i dont know the private key because all i seen and copy and pasted to him was the bip38 version.

.. break for 50 seconds of thinking...

apart from the fact that i could possibly have kept the bip38 lists and used my passphrase to decrypt it.. now i come to think about it.. its still not a 100% trust system.

.. break for 50 seconds of thinking...

maybe the vanity program i proposed casascius making with the added bip38 security does not reveal to me the bip38 but sends it via API to casascius. so when ordering bitnotes from casascius. i just type in a passphrase into the vanity/brainwallet program and an amount of bills. and the only response i see is "transaction sent - please allow 10 days for delivery"

thus i only know the passphrase. casascius's servers only sees the bip38 and the end user who finally gives up circulating the notes and cashes out.. will get to see them both after ripping off the hologram and reading the hand written passphrase on the reverse side.

Sounds like too much trust is required for that to work. It's safer and easier to just print them yourself without any encryption.

I really like the idea of paper wallets, I just think they need to be refined a bit.

Here are all the ways I could see using paper.

1) Note with address and unencrypted private key. Useful for quick offline storage and paying friends. If you are paid by someone untrusted with this note, you can easily sweep the private key to a new address. Sweeping from the bill may incur a fee depending on how fresh the coins are. The funds could potentially be stolen by someone peeking over your shoulder unless you have some sort of sticker or something covering the private key.

2) Note with address and encrypted private key. Useful for cheap, easy, and secure offline storage. The funds would be protected from someone peeking over your shoulder unless you don't cover the private key and you print the passphrase on the note.

3) Note with address and BIP38 encrypted key. Useful for secure offline storage on pretty paper or in a coin that would be too hard to make yourself. If you are paid with this by someone untrusted, you can relatively easily sweep the private key to a new address assuming you know the passphrase. The funds would be protected from someone peeking over your shoulder as long as the code is covered by a sticker and you don't print the passphrase on the note. This is what I would want to buy to store in a bank safe.

4) Note with address and no private key. The key is kept elsewhere, either digitally or printed. This would be useful for accepting bitcoin payments on the go when you can't load your wallet app because your smartphone's battery is dead.

5) Note with just a private key (encrypted or not). Not really sure how useful as it would require some work to securely check the balance. A note with just an encrypted private key could be very small.

I wrote a quick and dirty python script last night for printing codes. It takes an electrum wallet, an image (I've been using Psy's beautiful note, but any will work) and a config file with x,y coordinates for the qr codes and then generates a few different things using electrum. Eventually, I want each note to look very different so they can be easily distinguished. I'll throw it on github tonight or tomorrow once it works well enough. I wrote it not because I don't trust Casascius' utility, but rather because I don't like running windows.

Note 1: Uses a randomly generated (and promptly discarded) electrum wallet to generate the addresses on each note. I leave these notes unfunded until I need to use them, but they could be funded right away. Losing the note loses the funds. If I want to accept a payment, I have the other person pay to the public qr code and then I have a funded bill. If I want to pay someone else, I pay to the note's address and then hand it to the other person. This requires that they trust me at least a little bit. I could, for example, not print the actual private key on the bill, or sweep the funds before they have a chance to. Best case is that they have their own notes printed up, and I can scan one of their public qr codes and then they have no need to trust me. These can stay in circulation, but I don't think they should as there is no guarantee that I didn't keep the private keys for myself.

Note 2: Uses an electrum wallet to generate addresses and keys for each note. I keep this wallet file somewhere safe and offline. I can leave these notes unfunded or fund them as I print them. If I ever lose a note, I can still recover the funds through electrum. I can use these like checks. If I want to place a "stop order" I can do so until the funds have been swept elsewhere. I like these because I am less wary of losing them or having them stolen. If I pay someone with these, they should sweep the funds right away, and not keep them in circulation as I admit to having the private keys.

Note 3: Uses a deseeded electrum wallet to generate addresses, but not keys, for each note. I use these notes to easily accept payments to my savings account. I can easily and securely print off an unlimited number of these with a system connected to the internet without risk of having any funds stolen. These are only useful for accepting payments, and not for paying others. I'm considering printing the master_public_key where the private key would go so that you can tell which wallet the funds are in.

Now my main problem is a crappy printer. Any recommendations for cheap color printers that don't have wifi that handle that cotton paper well? Also, any recommendations for cotton paper?

the idea i said doesn't involve giving any one person trust as no one person sees all the info...allowing for circulation to happen between complete strangers without the worry of trust.

by you printing them off yourself the person you hand it to has to trust that you dont have the info stored elsewhere to then wipe the address clean once they walk 3 paces away from you. so encrypted or not/hologram or not you have still seen the private key or the bip38 to have had the opportunity to keep a copy to redeem whenever you like.

if you are seeking a one use only method between you and a friend for quick easy wallet transfer without having to have a smart phone on you then it would be more like a giftvoucher/cheque kind of thing although the paper and ink is a waste for a one time use. thats what smart phones are for, or at worse case just the private key QR code on a small piece of paper you just hand to your friend and they instantly scan and redeem the funds. which wont need any security because you have been the producer you have seen all the info. so encryption is worthless.

if you seek long term storage for youself in paper form but don't want thieves breaking into your safe, or nosy neighbours seeing the notes and redeeming it. then a bitcoin bond is for you. where it would only show the public key on the front bip38 on the back and you only write the passphrase in your Will not on the bond.

Do not take any information given on this forum on face value. Please do your own due diligence and respect what is written here as both opinion and information gleaned from experience. If you wish to seek legal FACTUAL advice, then seek the guidance of a LEGAL specialist

by you printing them off yourself the person you hand it to has to trust that you dont have the info stored elsewhere to then wipe the address clean once they walk 3 paces away from you. so encrypted or not/hologram or not you have still seen the private key or the bip38 to have had the opportunity to keep a copy to redeem whenever you like.

if you are seeking a one use only method between you and a friend for quick easy wallet transfer without having to have a smart phone on you then it would be more like a bitcoin bond/giftvoucher/cheque kind of thing which wont need any security as you have been the producer of all 3 stages, you have seen all the info.

the idea i said doesnt involve giving any one person trust as no one person sees all the info...allowing for circulation to happen between complete strangers without the worry of trust. the address generator/encrypter/api program i said would be open source for people to see that casasius only receives the bip38 and public address. and the program user only knows the passphrase and never sees the bip38 as the program doesnt show it and the notes delivered to him are already covered by the hologram.leaving only the redeemer able to get at all the info once they remove the hologram and read the passphrase on the back to match it up

I don't think it's possible if you don't know the issuer. Once the bill has changed hands a few times, how are you supposed to know that the bill you are holding was made securely by multiple parties or made by someone who knows all the private parts or made by parties that are colluding?

What if there is nothing under that security sticker? BIP 38 makes it somewhat better with the encryption key having a hash of the address exposed, but I'll have to think more about BIP 38 since I just saw it today.

Additionally, I could make a bill that looks exactly like whatever multifactor bill you come up with, but I know all the parts. I then distribute the bills and if someone trusts the security measures, it won't get back to me.

I don't think it's possible if you don't know the issuer. Once the bill has changed hands a few times, how are you supposed to know that the bill you are holding was made securely by multiple parties or made by someone who knows all the private parts or made by parties that are colluding?

What if there is nothing under that security sticker? BIP 38 makes it somewhat better with the encryption key having a hash of the address exposed, but I'll have to think more about BIP 38 since I just saw it today.

Additionally, I could make a bill that looks exactly like whatever multifactor bill you come up with, but I know all the parts. I then distribute the bills and if someone trusts the security measures, it won't get back to me.

the hologram which only casasius produces.. never resells separately. insures its a casasius multiparty note and not a privately printed note where the producer has seen the private info

Do not take any information given on this forum on face value. Please do your own due diligence and respect what is written here as both opinion and information gleaned from experience. If you wish to seek legal FACTUAL advice, then seek the guidance of a LEGAL specialist

the hologram which only casasius produces.. never resells separately. insures its a casasius multiparty note and not a privately printed note where the producer has seen the private info

I probably won't create notes of my own, I don't own any custom holograms that would cover a QR code with room to spare to not stick to it.

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable. I never believe them. If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins. I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion. Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice. Don't keep coins online. Use paper wallets instead.

the hologram which only casasius produces.. never resells separately. insures its a casasius multiparty note and not a privately printed note where the producer has seen the private info

The less centralized solution, more in the spirit of bitcoin, is to sell only the hologram. This should contain something like the PGP signed email address of anyone wanting to start issuing their own notes. Still a chain of trust, but a short one: casascius has to be trusted only to sell his customized hologram stickers to the owner of the email address. After that the one remaining link is to trust the local issuer, identified by this very email address.

the hologram which only casasius produces.. never resells separately. insures its a casasius multiparty note and not a privately printed note where the producer has seen the private info

The less centralized solution, more in the spirit of bitcoin, is to sell only the hologram. This should contain something like the PGP signed email address of anyone wanting to start issuing their own notes. Still a chain of trust, but a short one: casascius has to be trusted only to sell his customized hologram stickers to the owner of the email address. After that the one remaining link is to trust the local issuer, identified by this very email address.

Everyone trusting a list issued by one person is not a "less centralized solution"...

Yes it is. Centralized manufacturing of the hologram is a practical and economical way of identifying the issuer of the notes, besides making them hard to copy.

It will be nothing like a central bitcoin bank issuing all notes, which opens for the possibility of all notes being redeemed by a scammer holding all private keys. This happening with distributed issuing will have only local impact, and is also far less likely to happen.

Yes it is, centralized manufacturing of the hologram is a practical and economical way of identifying the issuer of the notes - and making them hard to forge also.

It will be nothing like a central bitcoin bank issuing all notes, which opens the possibility for all notes being redeemed by a scammer holding all private keys. The possibility for this happening with distributed issuing will have only local impact, and will be far less likely to happen.

A CENTRALIZED manufacturer is a problem.

IMO, for paper bills to work and remain in circulation, there has to be a 100% way for any party to validate that their bill is secure. The bills presented here can only be fully trusted if you are part of the manufacturing process.

Bitcoin is impossible to counterfeit. The proposed bills are possible to counterfeit. Any solution where counterfeiting could be a problem is a non-starter for me.

The proposed bills are possible to counterfeit. Any solution where counterfeiting could be a problem is a non-starter for me.

I don´t know much about the security provided by a hologram sticker, but all I have said so far is on the assumption that these can be made as hard to counterfeit (or even harder) than ordinary bank cash notes.

The manufacturer of the holograms would then be the only one able to easily counterfeit notes. But this is the very same issue you have already with the manufacturers of ordinary bank notes. Only this type of insider-counterfeiting scheme of bitcoin notes would be discovered way earlier by the process of people redeeming some of their notes to be used in a web shop or whatever.

I have created some bitcoin note reverse side designs in the context of my activity of adapting the bitaddress.org html-tool to be an easy-to-use and universal bitcoin note printing tool [with Firefox of course, not with Opera or Chrome!].

The designs are included in my updated zip file (9.3 MB) (the main reason for the size are the many png files, the html file is just < 500kB).

UPDATE: Click here for version 4 with some fixes of the rear side images and many new features of the tool (10.3 MB)

The previous designs have been overhauled such that the text is now printed at aposition on the paper that is now much better readable when printing the bitcoin noteswith my "modified bitaddress.org tool".

<> I took into account that the bitcoin note, when printed out, has an approx. size of 12.85 x 6.9 cm.<> I also took into account that the left margin between the paper edge and the left edge of the brinted bitcoin note, when printing out, can be between 0.0 and 3.0 cm, which should cover all user scenarios.<> I also took into accout that a hologram may be sticked onto the rear side of the bitcoin note, where the private key QR code is located. Even then, all useful information provided at the back side is still 100% visible, irrespective of the vertical offset of the printed note with respect to this rear-side design.

Under all these circumstances the new designs are always suitable, i.e. the textinformation is accessible in an optimum way to the holder of the note, for all 3 typesof designes:

1) This is true for the 6 standard designs with the name "bitcoin_note_reverse_bw_*_v2" or "bitcoin_note_reverse_col_*_v2".

2) This is also true for the 3 designs "bitcoin_note_reverse_INFOS_*", that are particularly useful as they give all the most important first infos to a holder who is new to bitcoin (important when used for promotional purposes!)

3) The 2 stereoscopic designs "bitcoin_note_reverse-STEREO3D_*" provide a steographic view (this technology has experienced a hype in the early 90ies, some may remember). You can see a deep 3-dimensional impression of a 3-dimensional structure that goes step-wise up and down as you sweep your eyes from top to bottom. This technical gimmick should tell the bolder (and bitcoin-newbie) something like: "There is more to bitcoin than what you may think at first glance. If you have a DEEPER LOOK INTO IT, you will discover the true possibilities of bitcoin."

The binary code of 0s and 1s that you can find in all the new desings simply containsthe ASCII codes of the words "VIRES IN NUMERIS" (which is Latin for "Strength in Numbers"),or sometimes the letters read "BTC VIRES IN NUMERIS" or "VIRESINNUMERIS" (w/o blanks),i.e. there is no political message hidden in these digits (which I consider important).

The seals arrived in the mail today, so I've now finished my first batch of BTC1 notes:

[Edit by Michael_S: I removed one image for brevity reasons]

I printed them on 100% cotton paper, so they should be nice and durable. Time to try putting some of them into circulation...

Nice indeed! But one question about these holograms (from ebay/sdm-security, I suppose, 1.125", right?):

Yes.

Quote

I understand they are tamper-evident in the sense that it is not possible to remove them without leaving a trace, i.e. I cannot remove them and stick them back to the note as if nothing happened.

BUT: Note that these are publicly available holograms, not special ones like the ones from casascius. So what if I remove them and stick a new one (I also have an ebay account! ) of the same type over it. Will this be noticeable?If not, maybe it is saver (depending on one's degree of security needs) to add in addition some transparent adhesive tape (scotch tape or so) stripes over the four hologram's edges and have them range over the complete width and height of the note and wrapping around the note's edges:

Now I can only tamper with the security hologram if I remove the tape stripes first. And this is probably not possible without violating the note's surface (depending on the note's material...any ideas?), so the tape stripes are also tamper-evident to some extend. Since they are transparent (unlike the hologram!), just sticking new stripes over it cannot conceal that the surface with the ink/toner was violated from tearing off the original stripes.

It seems to me that a would-be scammer could slice off the cap with an X-Acto knife or a razor blade, scan the QR code, and carefully apply a second layer of tape. Subsequent recipients of the note probably wouldn't notice until it was too late.

The seal leaves some residue behind; applying a replacement over it would leave some irregularities around the edge. Whether that would be more or less noticeable than a second layer of Scotch tape is left as an exercise for the reader.

Neither approach is likely 100% cheatproof. A custom or semi-custom seal might improve security a bit, but at what expense? Probably nothing short of a custom hologram (like what Casascius uses) would be truly secure, but the setup charges and minimum orders likely make that cost-prohibitive. The supplier I'm using can customize their designs with an overprint. That then raises another question: would they offer that same customization to all takers, or would it be for your exclusive use?

Neither approach is likely 100% cheatproof. A custom or semi-custom seal might improve security a bit, but at what expense? Probably nothing short of a custom hologram (like what Casascius uses) would be truly secure, but the setup charges and minimum orders likely make that cost-prohibitive. The supplier I'm using can customize their designs with an overprint. That then raises another question: would they offer that same customization to all takers, or would it be for your exclusive use?

It seems to me that a would-be scammer could slice off the cap with an X-Acto knife or a razor blade, scan the QR code, and carefully apply a second layer of tape. Subsequent recipients of the note probably wouldn't notice until it was too late.

A last resort for tamper proofing is to apply the lottery scratch card method of rubbery sealing over the private key. But then the note might have to be in plastic?. It for sure will get a very ugly rubbery blob, in place of a beautiful BTC marked hologram .

I can´t imagine high tech is needed to apply the rubber (?) covering over the private key, and it can´t cost much as it is already in widespread use for cheap lottery tickets.